Yet another CFIDE vulnerability!

Question

RE: http://www.adobe.com/support/security/advisories/apsa13-03.html Open letter to Adobe… Adobe, Please assign someone to trend all the ColdFusion vulnerabilities for the last five years. I am certain you'll find that a vast majority of them revolve around the CFIDE directory. Idea: Instead of endlessly patching the CFIDE modules every time a vulnerability is found or exploited, if you were to eliminate the CFIDE directory ColdFusion would probably be one of the more secure web platforms on the market. Just a thought. For users of ColdFusion, my advice is to remove the CFIDE virtual directory from all your public facing sites. If your site requires the CFIDE/scripts directory, point the CFIDE virtual directory to an empty directory and then create a "scripts" virtual directory under it and point it to the original /CFIDE/scripts location. Poof -- probably 80% or more of the CF vulnerabilities avoided. ColdFusion is a great platform and can be very secure -- minus the CFIDE.

Carl Von Stetten · Answer

Or if users would follow the CF lockdown guides for all production servers... What would be really nice is if the Web Server Configuration Tool had a "secure" checkbox that implemented most of the lockdown guide instructions automatically, and was by default set to checked (users would have to uncheck the box to not implement the lockdown guide).

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded